Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/nathanejohnson/whichca

Unbreaker of chains! Site certificate verification utility / fixer of missing intermediates / generator of minimum CA bundle for a given use case / fetcher of CA bundle.
https://github.com/nathanejohnson/whichca

certificate-bundle command-line command-line-tool golang rsa x509 x509chain

Last synced: about 1 month ago
JSON representation

Unbreaker of chains! Site certificate verification utility / fixer of missing intermediates / generator of minimum CA bundle for a given use case / fetcher of CA bundle.

Host: GitHub
URL: https://github.com/nathanejohnson/whichca
Owner: nathanejohnson
License: mit
Created: 2017-11-22T19:47:18.000Z (about 7 years ago)
Default Branch: master
Last Pushed: 2024-02-12T22:58:59.000Z (11 months ago)
Last Synced: 2024-10-14T20:55:50.184Z (3 months ago)
Topics: certificate-bundle, command-line, command-line-tool, golang, rsa, x509, x509chain
Language: Go
Homepage:
Size: 70.3 KB
Stars: 2
Watchers: 3
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

This is a utility for
- Verifying a website presents enough information to validate a chain of trust
- Failing said verification, determine which intermediate certs (if any)
could be added to the CA bundle to get it to a verified chain
- Can be used to download a CA bundle from the web (defaults to
curl.se's mozilla bundle)
- Can determine what the minimum CA bundle a client would need to verify
a site / list of sites or certificate bundle files.
- Can dump the system's default CA bundle (see limitations below)

#### Usage:

### Subcommands:

## check

This is to check a site or a pem certificate file to see if it is trusted
against either the system default CA bundle (default) or a CA bundle file specified
with the -ca option. This will also provide an option to dump any missing
intermediates needed to correct the configuration.

(njohnson@greyeagle:~)% whichca check -hp google.com:443 -hp bing.com:443
*.google.com is good!
www.bing.com is good!
(njohnson@greyeagle:~)%

## fetchca

This is to download and (optionally) verify a PEM CA bundle from a remote website
. It defaults to the mozilla PEM bundle provided by curl.se. Please don't
script this in such a way that it downloads the file more than once a day, but
since I actually default to stdout I don't have a good way to check file age
and do any attempt to enforce this.

(njohnson@greyeagle:~)% whichca fetchca -out ca.pem
verified 129 certificates in bundle downloaded from https://curl.se/ca/cacert.pem
(njohnson@greyeagle:~)%

Note this verification is only that the certificates are parsable and valid.
## minca

This is a command for determining the minimum CA bundle needed to validate a list
of certificate bundles or websites.

For a local certificate bundle:

whichca minca -p /path/to/cert/bundle.crt

or for a remote certificate at a given hostname:port

whichca minca -hp host.whatever.com:443

If all goes well, it will spit out the PEM encoded version of the chain leading to the root certificate, minus the
certificate and intermediates found in the cert bundle(s) passed.

### dumpca

Additionally, on platforms that aren't Windows-based, it can be used
to get a full dump of the default system certificate bundle, with the following:

whichca dumpca

On macOS this uses the `security find-certificate -ap` utility, which is what golang
did under the covers until recently when they decided to defer to the darwin keychain api
for verification. There are some caveats here, one being that the darwin keychain
is more lax than the golang x509 parser, so some certs in the keychain might not get
parsed correctly by golang. In the case it finds one of these, it will print the
certificate in PEM form on stderr with a warning in the comments. See
[here](https://github.com/golang/go/issues/47689) for details. All
verified certificates will be printed on stdout. On other *nix platforms,
this calls `x509.SystemCertPool` and does some reflect nastiness to ferret out the certs.

## Flags

You can mix and match host:port and pathspec definitions on the same command,
specifying any number of each

For example, this is valid:

whichca minca -hp host.whatever.com:443,host2.whatever.com:443 -p '/path/to/*.crt' -p ./mycert.crt

Note the single quotes around the wildcard above. This is necessary to keep the shell from intercepting the wildcard
character.

To install, download a release binary from the releases page on github (preferred),
or to install from source simply:

go install github.com/nathanejohnson/whichca@latest